XNAT is an open source imaging informatics platform developed by the Neuroinformatics Research Group at Washington University. XNAT was originally developed in the Buckner Lab at Washington University, now at Harvard University. It facilitates common management, productivity, and quality assurance tasks for imaging and associated data. Thanks to its extensibility, XNAT can be used to support a wide range of imaging-based projects.
Tested with following versons:
OS : Scientific Linux 7.2
XNAT version: 1.6.5
Java Version: 1.7.0_79
AD : Windows Server 2012 R2
Let's assume that,
- Your organisation's active directory domain is : myorg.com.au
- All your users are located in People OU in the root of the domain
- The directory server DNS name is : dc01.myorg.com.au
- The ldap service account to access and read domain information is located in : myorg.com.au/People/Service Accounts
- The service account to access the directory is : srvldap and Passoword is : password
Official documentation on how to configure XNAT for LDAP authentication is located here.
Services.Properties Configuration - XNAT 1.6.x Documentation - XNAT Documentation Wiki
The purpose of this post is to provide you with accurate configuration options to make XNAT work with Active Directory.
This is how a working configuration should looks like in XNAT /apache-tomcat-7.0.68/webapps/xnat/WEB-INF/conf/services.properties file. (Note that the path will be different in your implementation)
############# services.properties #############
# Comma-separated list of the providers that users will be able to use to authenticate.
provider.providers.enabled=db,ldap1
provider.db.name=LOCAL
provider.db.id=localdb
provider.db.type=db
# Add "ldap1" to the enabled provider list above and fill in the missing fields to enable LDAP authentication.
provider.ldap1.name=MYORG
provider.ldap1.id=ldap1
provider.ldap1.type=ldap
provider.ldap1.address=ldap://dc01.myorg.com.au:389/dc=myorg,dc=com,dc=au
provider.ldap1.userdn=myorg.com.au/People/Service Accounts/srvldap
provider.ldap1.password=password
provider.ldap1.search.base=ou=People
provider.ldap1.search.filter=(sAMAccountName={0})
############ END services.properties ###########
Note that ,
1. On the provider.ldap1.address field, I have used:dc=myorg,dc=com,dc=au instead of using recommended dc=au,dc=com,dc=myorg. This order is important. Other wise you will get the following error in your XNAT security.log file.
"Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials"
2. Canonical name for provider.ldap1.userdn field instead of DN
Some helpful tips:
1. To enable debugging in XNAT security log , change flags shown below in the log4j.properties file.
This file is located in /apache-tomcat-7.0.68/webapps/xnat/WEB-INF/conf/ folder
Change flags from WARN to DEBUG
# Security logs, both Spring Framework and XNAT
log4j.category.org.springframework.security=DEBUG, security
log4j.additivity.org.springframework.security=false
log4j.category.org.nrg.xnat.security=DEBUG, security
log4j.additivity.org.nrg.xnat.security=false
2. Use JXplorer to test the connectivity to the Active Directory. Using a Java based tool like JXplorer will help you to troubleshoot the issues better in this type of scenarios as XNAT is also based on Java.
A helpful reference: XNAT 1.6.3 LDAP Error - Google Groups